/pcq/media/agency_attachments/L8pkS8gpnodJThOdAfv1.jpg)
Follow UsWin 32/Plage 2000.Worm
This is a new worm that spreads through e-mail. It arrives as a reply to an e-mail message that you’ve sent. The reply message contains the complete text of the message that you’d sent and has the following structure:
P2000 Mail auto-reply:
“I’ll try to reply as soon as possible. Take a look to the mail attachment and send me your opinion!”
Get your free P2000 mail now!
The P2000 domain name could be substituted by other domain names found in the inbox of the computer sending the message.
The worm is attached to the message under one of the following names–pics.exe, images.exe, joke.exe, PsPgame. exe, news_doc.exe, hamster.exe, tama gotxi.exe, searchURL.exe, setup.exe, card.exe, billgt.exe, midsong.exe, s3msong.exe, docs.exe, humor.exe, fun.exe
On execution, the worm will present itself as a self-extracting WinZip file:
Pressing any of the buttons on the dialog box will display one of these two messages:
In the background, the worm will copy itself to the Windows directory under the name
INETD.EXE. Under Win 95/98, it modifies the WIN.INI file’s run load to load itself into memory as INETD.EXE. In Win NT, it adds itself to the registry HKEY_CURRENT USER_ \Software\Micro soft \WindowsNT \ CurrentVersion\Win dows\run\=
When the system rebooted, the worm gets executed automatically from the Windows directory, starts up without displaying any user interface elements, and goes resident.
Every five minutes, it tries to establish a connection to the running Outlook or Exchange client, and sends a reply as above to all new e-mails. On a Wednesday, the worm tries to display a special message:
The accompanying text says, “Fight against the plage of inhumanity. This is Plage 2000 coded by Bumblebee/29a._Plage 2000.”
No destructive payload has been observed so far.
To clean the worm, delete the executable file that has any of the names mentioned above. If the worm is resident, remove the registry entry or the WIN.INI entry, reboot, and delete the executable file.
W97M/Armagidon.A
Also known as W97M/Armagid.A, this is a Word macro virus that infects documents and the normal template (Normal.dot). Infected documents contain two macros: Document_Open and Document_New stored in the class module
ThisDocument.
An infected template contains an additional macro module called Armagidon that contains eleven additional macros. The virus uses a temporary file called armagidon.bas to create the macro module
Armagidon.
When an infected document is opened, the code from the Document_Open macro is executed and the virus infects the normal template.
Document_New contains a non-destructive payload that replaces the Windows mouse pointer with the Red Cross sign on May 8 (Red Cross Day). When the FilePrint function is executed, the virus performs some character replacement.
InoculateIT 7.68 detects this virus as “W97/WordIns.Variant”, while Norton Anti Virus detects it heuristically as
“Bloodhound.Wordmacro”.
Win 32/New Apt.73728.Worm.D
Also called NewApt.D, this worm is a variant of NewApt.A, which was first detected in December 1999. Its spreads over e-mail.
Depending on the e-mail package you use, you’ll receive one of the following messages:
“Hey, your lame client can’t read HTML, haha. Click attachment to see some stunningly HOT stuff” or “http://stuart.messagemates.com/index.html Hypercool Happy New Year 2000 funny programs and animations…We attached our recent animation from this site in our mail! Check it out!”
Clicking on the link inside the message will take you to a site other than messagemates.com. The actual message mates.com Website has nothing to do with this worm.
The attached file could have lots of names, some of which could be–Amateur.exe, Asians.exe, Babes.exe, Bizarre.exe, Cartoons.exe, Ebony.exe, Fatladies.exe, Fetish.exe, Group.exe, Hidcam.exe, Hidcams.exe, Males.exe, Mature.exe, Miscellan.exe, Mixedbag.exe, Toys.exe, Weird.exe, etc.
Running the attachment will display an error message about a missing file called giface.dll. The worm meanwhile will search Netscape, Outlook, and Outlook Express settings to locate the mail server. It’ll then connect directly to the mail server, and send using the SMTP protocol.
When the worm is run, it creates a set of registry keys that record the actions already performed by the worm, and when the worm is run at a later date, it checks the registry and doesn’t perform the tasks that have already been completed. The registry key is HKEY_CURRENT_USER\Software\ Microsoft\Windows. Subkeys include cat, cd, itn, jk, lms, mda, mde. It also creates an entry named “Scandsks” under the key HKEY_CURRENT_USER\SOFTWARE\ Microsoft\Windows\Run and makes it point to one of the executables mentioned above.
On March 2, it’ll try to dial telephone numbers stored in the worm code to connect to a list of Web servers.
The worm deactivates itself, that is, removes its registry key on July 12.
To cure an infected system, the executable has to be deleted.